For PCI Multi-Factor Authentication is Now Required for Everyone…and You Better Hurry

The “Payment Card Industry Data Security Standard” (PCI DSS) has long been a security and compliance driver for merchants, banks, hospitals, governments and anyone else who handles payment card information. PCI DSS is very prescriptive about what is expected to secure payment card data at rest and in motion, to require individual accountability, and to limit access to only those with a need to know. Recently, the PCI council announced the latest release of the standard, PCI DSS version 3.2. This update includes 47 total clarifications, eight evolving requirements and three additional items of guidance. One of the evolving requirements now specifically requires multi-factor authentication (MFA) for access into the cardholder data environment (CDE).

It turns out that requirement eight, “Identify and authenticate access to system components,” has actually required MFA since version 1.0, but only for remote access from external networks into the CDE. However, PCI DSS 3.2 section 8.3 now requires multi-factor authentication for all personnel with administrative access, not just personnel with remote access to the CDE.

[A] significant change in PCI DSS 3.2 adds multi-factor authentication as a requirement for any personnel with administrative access into the cardholder data environment, so that a password alone is not enough to verify the user’s identity and grant access to sensitive information, even if they are within a trusted network…The most important point is that the change to the requirement is intended for all administrative access into the cardholder data environment, even from within a company’s own network. This applies to any administrator, whether it be a third party or internal, that has the ability to change systems and other credentials within that network to potentially compromise the security of the environment.

This is a significant change because the PCI council is now reflecting the real-world fact that even our internal networks and users need additional layers of protection. As discussed in previous posts, compromised credentials are the leading vector of cyber attacks. That is why a single password by itself can no longer be considered adequate protection, as this new PCI requirement reflects.
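One way to turn the requirement change described above into a check over access records, as an added Python example that is not Centrify's code or part of the original post; the event fields (source network, admin flag, CDE scope, MFA flag) and the two-version policy model are assumptions built from the text, and the sample events are constructed:

```python
"""Flag CDE access sessions for which PCI DSS would demand a second factor.

Added example, not Centrify code. Rule text as the post states it: before 3.2,
MFA was required only for remote access into the CDE from external networks;
from 3.2 (section 8.3) it is required for all administrative access into the
CDE, even from a trusted internal network. Event fields are assumed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessEvent:
    user: str
    source: str     # "internal" or "external" network (assumed field)
    admin: bool     # session carries administrative privileges
    into_cde: bool  # target system is in scope (inside the CDE)
    mfa: bool       # a second factor was verified at login


def mfa_required(ev: AccessEvent, version: str = "3.2") -> bool:
    """Return True if the given PCI DSS version requires MFA for this event."""
    if not ev.into_cde:
        return False                      # out of scope for requirement 8
    remote_external = ev.source == "external"
    if version == "3.2":
        # 8.3: any administrative access into the CDE, local or remote,
        # on top of the long-standing remote-access rule.
        return ev.admin or remote_external
    # Pre-3.2 reading: remote access from external networks only.
    return remote_external


def findings(events, version: str = "3.2"):
    """Users whose sessions lack a second factor the chosen version demands."""
    return [ev.user for ev in events if mfa_required(ev, version) and not ev.mfa]


# Constructed sample events: an internal admin on a single password, a remote
# admin with MFA, an internal non-admin, and a remote non-admin without MFA.
SAMPLE_EVENTS = [
    AccessEvent("dba-internal", "internal", admin=True, into_cde=True, mfa=False),
    AccessEvent("ops-remote", "external", admin=True, into_cde=True, mfa=True),
    AccessEvent("cashier", "internal", admin=False, into_cde=True, mfa=False),
    AccessEvent("vendor-remote", "external", admin=False, into_cde=True, mfa=False),
]

if __name__ == "__main__":
    print("pre-3.2 gaps:", findings(SAMPLE_EVENTS, "3.1"))  # ['vendor-remote']
    print("3.2 gaps:    ", findings(SAMPLE_EVENTS, "3.2"))  # ['dba-internal', 'vendor-remote']
```

The internal administrator on a password alone is compliant under the old reading and a finding under 3.2, which is exactly the gap the new requirement closes.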

Audit and Compliance to track, monitor and record all access to network resources and cardholder data.

Isolation and Encryption to ensure firewall configuration to protect cardholder data and to encrypt transmission of cardholder data across open, public networks.

Importantly, Centrify also provides:

Multi-factor Authentication for any personnel, local or remote, with administrative access into the cardholder data environment (CDE), even if they are within a trusted network.

In fact, Centrify has the ideal solution for providing MFA into PCI systems and applications by leveraging users’ mobile devices for hassle-free MFA. Choose from push notifications, secure OTP, SMS, email, voice and more. You can even augment the solution with adaptive, step-up and customized per-app MFA policies.

Not only that, but users love the MFA experience that Centrify provides. Easy one-click access for end users and centrally managed access for IT.

But why band-aid the problem with MFA just for access to your CDE? This puts up productivity hurdles for your users and leaves gaps in your security posture. Instead, look to enforce a single MFA policy for all of your internal and external users across your servers, apps and devices, regardless of whether they are on-premises or in the cloud. Only Centrify secures access to both IT infrastructure and apps for all users in an increasingly cloud and mobile world.

Centrify protects against the leading point of attack used in data breaches — compromised credentials — by securing an enterprise’s internal and external users as well as its privileged IT accounts. Centrify delivers stronger security, continuous compliance (including PCI DSS 3.2) and enhanced user productivity across an enterprise’s on-premises servers, apps and networks as well as its mobile, IaaS and SaaS environments through single sign-on (SSO), MFA, mobile and Mac management and privileged access security.

Centrify CEO Tom Kemp, an industry expert in security and infrastructure software, discusses market and technology issues around the disruption in the Identity and Access Management market caused by the cloud, mobile and consumerization-of-IT trends in today's IT environment.